openldap-technical March 2022

openldap-technical@openldap.org

35 participants
38 discussions

OpenLDAP proxy for samba-usage
by lists＠zxt10d.de 22 Mar '22

22 Mar '22

Hello :) Hopefully I'm not completly wrong on this ml, as its not only ldap related, but also samba related. I work at a Chair of a german university. University uses a central LDAP-system for all students, employees, scientists, scientific guests, etc., providing an unique UID for all these peoples, plus many more information. My idea was: setting-up a local OpenLDAP-proxy, so that people of our Chair get access to ressources (eg. via samba) using their unique UID and password, but without setting-up an AD. Many system here are owned by the Chair or University, but lots of students are using their own laptop, so using a AD (and adding them) is not very handy for them ... so, something like a stand-alone samba-server with authentification versus ldap. Is there a chance to get this running? There is no chance to add the schema on a proxy? What I did so far: - I can establish a connection to the central LDAP-system using /etc/pam_ldap.conf uri ldaps://ldap.DOMAIN.de host ldap.DOMAIN.de base ou=CHAIR,ou=hosts,dc=DOMAIN,dc=de ldap_version 3 binddn cn=CHAIRCODE,ou=SECURITY,dc=DOMAIN,dc=de bindpw PASSWORD pam_password crypt ssl start_tls ssl on - I configured /etc/libnss-ldap.conf, and a 'getent passwd' shows all local users plus the members uri ldaps://ldap.DOMAIN.de host ldap.DOMAIN.de base ou=CHAIR,ou=hosts,dc=DOMAIN,dc=de ldap_version 3 binddn cn=CHAIRCODE,ou=SECURITY,dc=DOMAIN,dc=de bindpw PASSWORD - I also configured /etc/ldap/slapd.conf for proxy usage (I think I did ...), but I learned 2 days ago I can't add any schemata on a proxy ... # Schema includes include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema # include /etc/ldap/schema/misc.schema include /etc/ldap/schema/openldap.schema # # # Module modulepath /usr/lib/ldap moduleload back_ldap.la moduleload back_hdb.la moduleload back_mdb moduleload rwm moduleload pcache.la moduleload memberof.la # # Main settings pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args conn_max_pending 1000 sockbuf_max_incoming 4194303 logfile /var/log/ldap/logfile.log #loglevel stats conns filter loglevel any sizelimit unlimited limits * size.pr=0 size.prtotal=none tool-threads 1 # readonly on access to * by * read # # Database defs (proxy to AD) database ldap chase-referrals no rootdn ou=CHAIR,ou=hosts,dc=DOMAIN,dc=de suffix "dc=DOMAIN,dc=de" uri ldap://localhost/ uri ldap://ldap.DOMAIN.de/ uri ldaps://ldap.DOMAIN.de/ acl-bind bindmethod=simple binddn="cn=CHAIRCODE,ou=SECURITY,dc=DOMAIN,dc=de" credentials="PASSWORD" starttls=yes idassert-bind bindmethod=simple binddn="cn=CHAIRCODE,ou=SECURITY,dc=DOMAIN,dc=de" credentials="PASSWORD" starttls=yes #cancel abandon overlay pcache #proxycache hdb 100000 3 1000 100 proxycache mdb 100000 3 1000 100 pcachePersist TRUE proxyAttrset 0 mail uid gecos proxyTemplate (sn=) 0 3600 proxyTemplate (&(sn=)(givenName=)) 0 3600 #cachesize 20 index objectClass eq index cn,sn,uid,mail pres,eq,sub pcacheAttrset 0 1.1 pcacheTemplate (&(|(objectClass=))) 0 3600 pcacheTemplate (objectClass=*) 0 3600 pcacheAttrset 1 displayname pcacheTemplate (objectClass=*) 1 3600 pcacheAttrset 2 memberOf pcacheTemplate (objectClass=*) 2 3600 conn-ttl 3600 # directory /var/lib/ldap Testing the config works: root@ldap:~# /usr/sbin/slapd -Tt -f /etc/ldap/slapd.conf config file testing succeeded 62398f56 mdb_opinfo_get: err Permission denied(13) root@ldap:~# (I have no idea which Permission is denied) slapd can be started via /usr/sbin/slapd -g openldap -u openldap -f /etc/ldap/slapd.conf ldapsearch works fine using '-h localhost' or '-H ldap://ldap.DOMAIN.de', so I think the basic config is not bad at all ... Thanks in advance! Cheers, Torsten

1 0

Re: Backup Mirrormode setup
by Meike Stone 16 Mar '22

16 Mar '22

Am Mi., 16. März 2022 um 21:39 Uhr schrieb Quanah Gibson-Mount <quanah(a)fast-mail.org>: > > > > --On Wednesday, March 16, 2022 10:23 PM +0100 Meike Stone > <meike.stone(a)googlemail.com> wrote: > > > > > We are still using the bdb backend and the latest 2.4.59 (don't ask, > > it will be replaced soon) and I remember, a "few" years ago, I had > > problems with slapcat and online databases, because the server was > > stucking for a while and answers were delayed .. > > (The Admin Guide tells, that "Backups are managed slightly differently" > > ...) Secondly, while offline, I can copy the whole database directory > > including the transaction logs .. > > Ah, ok. Yes, you could set up a read-only consumer node to take backups > from. I'd highly prioritize moving to a supported release of OpenLDAP with > the back-mdb backend as well (I see you say it should be replaced soon). :) > Quanah, thanks for guiding me! Meike

1 0

Re: Backup Mirrormode setup
by Meike Stone 16 Mar '22

16 Mar '22

Am Mi., 16. März 2022 um 19:31 Uhr schrieb Quanah Gibson-Mount <quanah(a)fast-mail.org>: > > > > --On Wednesday, March 16, 2022 7:59 PM +0100 Meike Stone > <meike.stone(a)googlemail.com> wrote: > > > Hello, > > > > what is the right solution to backup a Mirromode setup? > > I've a simple setup with two servers, running in mirromode and a > > virtual IP is moved on "request" between the two servers (nodes). The > > DNS-Name of the virtual IP is used for the client ldap requests. The > > server certificate is issued to the DNS name of the virtual IP, but > > has two SANs for the both node names. The node names will be used for > > replication in mirrormode. Everything is running well. > > Can I set up a third (readonly) server, who only replicates the > > Database from the "mirromode cluster'' using the DNS-Name without > > problems and then shutdown slapd temporarily and splacat the database? > > You don't need to shut down slapd to slapcat the database, so I'm not clear > what the concern is here? You should just do a periodic slapcat. > We are still using the bdb backend and the latest 2.4.59 (don't ask, it will be replaced soon) and I remember, a "few" years ago, I had problems with slapcat and online databases, because the server was stucking for a while and answers were delayed .. (The Admin Guide tells, that "Backups are managed slightly differently" ...) Secondly, while offline, I can copy the whole database directory including the transaction logs .. Thanks Meike

2 1

Backup Mirrormode setup
by Meike Stone 16 Mar '22

16 Mar '22

Hello, what is the right solution to backup a Mirromode setup? I've a simple setup with two servers, running in mirromode and a virtual IP is moved on "request" between the two servers (nodes). The DNS-Name of the virtual IP is used for the client ldap requests. The server certificate is issued to the DNS name of the virtual IP, but has two SANs for the both node names. The node names will be used for replication in mirrormode. Everything is running well. Can I set up a third (readonly) server, who only replicates the Database from the "mirromode cluster'' using the DNS-Name without problems and then shutdown slapd temporarily and splacat the database? Thanks Meike

2 1

migrate from RedHat openldap 2.4 to LTB OpenLdap 2.5
by Aaron Bennett 15 Mar '22

15 Mar '22

Hi, I'm moving from a two-node CentOS 7 cluster running essentially the RedHat openldap-servers build (which I rebuild to use OpenSSL, but otherwise, left alone). I've provisioned a new Rocky Linux 8 system and have installed OpenLDAP 2.5 from the LTB repository, and have moved the old slapd.d directory out of the way and put the slapd.d directory from the old servers in place. If I try to run slapd-cli status, it throws this: olcAttributeTypes: value #8 olcAttributeTypes: Inconsistent duplicate attributeType: "pwdMustChange" config error processing cn={5}samba,cn=schema,cn=config: olcAttributeTypes: Inconsistent duplicate attributeType: "pwdMustChange" slapcat: bad configuration directory! olcAttributeTypes: value #8 olcAttributeTypes: Inconsistent duplicate attributeType: "pwdMustChange" config error processing cn={5}samba,cn=schema,cn=config: olcAttributeTypes: Inconsistent duplicate attributeType: "pwdMustChange" slapcat: bad configuration directory! Looking here: https://ltb-project.org/documentation/migrate_openldap_ltb_24_openldap_ltb_…, it looks like there's more going on. Does anyone have any input as to how to accomplish this? I do need to bring the old data in, ideally without having to make changes to the samba scheme under the hood. Best, Aaron --- Aaron Bennett Manager of Systems Administration Clark University ITS

3 5

olcLastBind default to true
by Erik de Waard 14 Mar '22

14 Mar '22

$OpenLDAP: slapd 2.5.11 Hi, i've a weird case where olcLastBind defaults to TRUE. When using convert (slaptest) method. and explicit lastbind to off/false has no effect. #Initialize slapd with convert method slaptest -f /etc/openldap/slapd.conf.init -F /etc/openldap/slapd.d/ slapcat -n0 | grep LastBind olcAttributeTypes: ( OLcfgDbAt:0.22 NAME 'olcLastBind' EQUALITY booleanMatch S olcLastMod $ olcLastBind $ olcLimits $ olcMaxDerefDepth $ olcPlugin $ olcRea olcLastBind: TRUE olcLastBind: TRUE olcLastBind: TRUE olcLastBind: TRUE Tested with minimal config: # stand-alone slapd config include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/openldap.schema include /etc/openldap/schema/nis.schema #include /etc/openldap/schema/test.schema # allow big PDUs from anonymous (for testing purposes) sockbuf_max_incoming 4194303 moduleload back_ldap ####################################################################### # database definitions ####################################################################### database config database mdb suffix "dc=example,dc=com" rootdn "cn=Manager,dc=example,dc=com" rootpw secret directory /var/lib/ldap lastbind off database monitor Best regards,

2 1

syncprov-sessionlog-source cn=accesslog
by Michael Ströder 14 Mar '22

14 Mar '22

HI! I wonder what the operational requirements are when using syncprov-sessionlog-source cn=accesslog instead of the in-memory session log. E.g. what about configured logpurge? What happens if the accesslog DB is completely deleted? Ciao, Michael.

3 5

slapo-translucent and syncprov
by Christopher Paul 13 Mar '22

13 Mar '22

Hello openldap-technical, I am wondering about slapo-translucent and syncprov. I am using it to merge RFC2307bis data with an upstream Active Directory Service. It seems to work pretty well. But I notice that the entries added do not get entryuuid or entrycsn values. I guess this sort of makes sense, because the source of truth for (most of) this data is upstream. And so, this means then that syncprov overlay will not work for translucent entries. So I am wondering, what others are doing to replicate and synchronize their translucent data across an OpenLDAP service? I am guessing people probably use some dump and load schemes, which is about all I can think to do at the moment. many thanks, Chris Paul | Rex Consulting | https://www.rexconsulting.net

1 0

secrets storage: userPassword,TLS keys best practices
by Christopher Paul 12 Mar '22

12 Mar '22

Hello openldap-technical, I'm wondering what the OpenLDAP-technical World thinks about LDAP authentication secrets. A couple observations and questions: 1. RFC 4519 allows userPassword to be multi-valued and it gives some rationale which is logical, but it also seems to lack imagination. There seem to be more possibilities for abuse by defining attributeType this way than legitimate use cases. Is there any way to force userPassword to be single-valued? Has anyone attempted this? 2. Assuming you decide to ditch passwords, and use TLS EXTERNAL, you still have the problem of storing the key, and the risk that if the key is stolen, than someone other than you can authenticate as you. Of course store it on storage with permissions and ownership of files set correctly. That goes without being said, but storage is not always perfectly secure or private, so let's not trust it completely. Short lifetimes would be one mitigation. And CRLs of course. What else do people do? 3. Is there anyway to have ldap* commands read the key in from an environment variable or call to gpg/secrets store /etc? Funky alias / bash-wrapper yeah but I'm looking for something less clunky. many thanks, Chris Paul | Rex Consulting | https://www.rexconsulting.net

3 8

Accesslog and Ppolicy overlays
by Benjamin Renard 11 Mar '22

11 Mar '22

Hello, I try to enable accesslog overlay on a database with the overlay ppolicy enabled (with brute-force protection). My goal is to build an historic of users authentication fails and the effect of the ppolicy overlay on their account. I enabled accesslog on the database with logging of the "session" operations and in this case, all users authentication fails are stored as modification of the pwdFailureTime attribute. It's great but I also would also like to have an explicit trace of the bind operation failure (with the error message of ppolicy in reqMessage). I also tried to configure the accesslog overlay on frontend and in this case, I had an explicit trace of the bind failure but no trace of the pwdFailureTime attribute modification. Finally, I tried to configure the accesslog overlay on both frontend and database levels, but accesslog on database seems to take over the other and the result is identical with accesslog configured only on database level. Do you known how I could configure the accesslog overlay to log both bind failure and the pwdFailureTime attribute modification ? Regards, -- Benjamin Renard - Easter-eggs 44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité Phone: +33 (0) 1 43 35 00 37 - mailto:brenard@easter-eggs.com

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2022